maria-developers team mailing list archive

Thread
Date

Re: 784cc5970dd: MDEV-19650: Privilege bug on MariaDB 10.4

To: Oleksandr Byelkin <sanja@xxxxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Tue, 21 Apr 2020 13:25:45 +0200
Cc: maria-developers <maria-developers@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CADYFmDRNN+nQv1m9K-4Vm3+90cC8sgWy-HeaaAEqWBwFS2Hz4Q@mail.gmail.com>
User-agent: Mutt/1.10.1 (2018-07-13)

Hi, Oleksandr!

On Apr 21, Oleksandr Byelkin wrote:
> >
> OK, INSERT probably is not needed, but we have tons  (more than 40 I think)
> of DELETE in our tests (and so UPDATE should work).

Yes, the view is delete-able and some columns are update-able.
So, let's keep these privileges.

INSERT and LOAD never worked.

> Also we have not LOAD but this:
> 
> rpl.rpl_current_user 'stmt'              w7 [ fail ]
>         Test ended at 2020-04-21 09:34:44
> 
> CURRENT_TEST: rpl.rpl_current_user
> mysqltest: In included file "./include/diff_tables.inc":
> included from
> /home/sanja/maria/git/10.4/mysql-test/suite/rpl/t/rpl_current_user.test at
> line 65:
> At line 170: query 'SELECT * INTO OUTFILE '$_dt_outfile' FROM
> $_dt_database.$_dt_table ORDER BY `$_dt_column_list`' failed: 1356: View
> 'test.v_user' references invalid table(s) or column(s) or function(s) or
> definer/invoker of view lack rights to use them

This must be a bug. If one does

  SELECT * INTO OUTFILE FROM some.view

than the current user should have FILE, not the view definer.

Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx

References

Re: 784cc5970dd: MDEV-19650: Privilege bug on MariaDB 10.4
From: Sergei Golubchik, 2020-04-20
Re: 784cc5970dd: MDEV-19650: Privilege bug on MariaDB 10.4
From: Sergei Golubchik, 2020-04-20
Re: 784cc5970dd: MDEV-19650: Privilege bug on MariaDB 10.4
From: Sergei Golubchik, 2020-04-20